Counting the hidden cost of a data breach

The average cost of a data breach in South Africa is R36,5-million, up from R32-million in the 2017 report, while the average number of breached records increased by 6,31% to 21 090.

Meanwhile, the hidden cost of data breaches includes lost business, negative impact on reputation and employee time spent on recovery – and these are difficult and expensive to manage.

Sponsored by IBM Security and conducted by Ponemon Institute, the 2018 Cost of a Data Breach Study analyses hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and the cost of lost business and reputation.

“While highly publicised data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” says Wendi Whitmore, global lead for IBM X-Force Incident Response and Intelligence Services (IRIS). “The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.”

For the past three years, the Ponemon Institute has examined the costs associated with data breaches of fewer than 100 000 records, finding that the costs have steadily risen over the course of the study.

The average cost of a data breach was R36,5-million in the 2018 study, compared to R32-million in 2017 – representing a 12,2% increase from the prior year. In 2016, the average cost of a data breach was R28,6-million.

The study also examines factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.

* The average time to identify a data breach in the study was 150 days, and the average time to contain a data breach once identified was 40 days.

* The three root causes of data breaches were identified as malicious or criminal attack (45%), human error (30%) and system glitches (25%).

* On average, malicious or criminal attacks took 163 days to identify and 45 days to contain. Human error breaches took 139 days to identify and 33 days to contain.

* Detection and escalation costs also increased, rising from R9,5-million in 2016, to R11,6-million in 2017 and R12,3-million in the 2018 study.

The number of lost or stolen records also impacts the cost of a breach, costing R1 792 per lost or stolen record on average – a 9,35% increase from 2017.

The study identified several factors which reduced this cost:

* The extensive use of encryption;

* Board-level involvement in data breaches; and

* The use of an AI platform for cybersecurity.

Globally, the study also calculated the costs associated with “mega breaches” ranging from 1-million to 50-million records lost, projecting that these breaches cost companies between $40-million and $350-million respectively.

In the past five years, the number of mega breaches (breaches of more than 1-million records) has nearly doubled – from just nine mega breaches in 2013, to 16 mega breaches in 2017 (source: IBM analysis of Privacy Rights Clearinghouse’s Chronology of Data Breaches).

Due to the small number of mega breaches in the past, the Cost of a Data Breach study historically analysed data breaches of around 2 500 to 100 000 lost records.

Based on analysis of 11 companies experiencing a mega breach over the past two years, this year’s report uses statistical modelling to project the cost of breaches ranging from 1-million to 50-million compromised records. Key findings include:

* The average cost of a data breach of 1-million compromised records is nearly $40-million globally.

* At 50-million records, the estimated total cost of a breach is $350-million.

* The vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error).

* The average time to detect and contain a mega breach was 365 days – almost 100 days longer than for a smaller-scale breach (266 days).

For mega breaches, the biggest expense category was the cost associated with lost business, estimated at nearly $118-million for breaches of 50-million records – almost a third of the total cost of a breach of this size.